gistfile1.txt

-------------------------------------------------------
CryptoLocker attack CVE-2020-3992
Workaround for data recovery for linux vm`s
-------------------------------------------------------
References:
  - https://kb.vmware.com/s/article/1002511
  - https://www.simplified.guide/linux/disk-recover-partition-table

Step 1:
Create a new Virtual Machine on the same EXSI host that was affected. i useed debian 10

Step 2:
SSH login into the affected esxi host

Step 3:
# Go toy your datastore.
cd /your/datastore/mount/point
# Make a copy of the affected VM
mkdir OldVm_Recovery
cp OldVm/* OldVm_Recovery/ -r

Step 4:
cd OldVm_Recovery
# List all files
$ ls -la
-rw-------  1 root root 123456789 Feb  3 08:47 old-vm-flat.vmdk

# Create a new VMDk file
$ vmkfstools -c 123456789 -a lsilogic -d thin temp.vmdk // replace 123456789 with the size from ls -la output

# Remove temp-flat.vmdk
rm temp-flat.vmdk

# Rename newly created temp.vmdk
# The neme must be the same as flat file, without "-flat".
ec.: 
   - Flat file  old-vm-flat.vmdk
   - WMDK file: old-vm.vmdk
mvtemp.vmdk old-vm.vmdk

# Edit vmdk file
vi old-vm.vmdk
----------------------------------------------
# Change this line from
RW 209715201 VMFS "temp-flat.vmdk"
# To
RW 209715201 VMFS "old-vm-flat.vmdk"
----------------------------------------------
# Delete this line
ddb.thinProvisioned = "1"
----------------------------------------------

Step 5:
# Check the vmdk file, not *flat.vmdk
$ vmkfstools -e old-vm.vmdk

if everithing is ok go to the next step :D

Step 6:
# add old-vm.vmdk as additional disk to the Linux VM created at "Step 1"
# Login into the vm and install testdisk tool
$ apt install --assume-yes testdisk

Now follow the procedure from "https://www.simplified.guide/linux/disk-recover-partition-table" in order to rebuild partition table

if you are lucky, now you cand mount that disk and recover data from it.